<!DOCTYPE html>
<html lang="en">

<head>
	

	


	

	<link rel="canonical" href="https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github" />

	<title>BotenaGo strikes again - malware source code uploaded to GitHub | AT&T Alien Labs</title>

	

		

	<meta property="og:site_name" value="AT&T Cybersecurity" />
	<meta property="og:title" content="BotenaGo strikes again - malware source code uploaded to GitHub" />
	<meta property="og:url" content="https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github" />
	<meta property="og:image" content="https://cdn-cybersecurity.att.com/blog-content/Blog-Images/open-graph/vulnerabilities-open-graph.jpg" />
	<meta property="og:description" content="Executive summary

In November 2021, AT&amp;T Alien Labs&trade; first published research on our discovery of new malware written in the open-source programming language Golang. The team named this malware &ldquo;BotenaGo.&rdquo; (Read previous article here.) In this article, Alien Labs is updating that research with new information.

Recently BotenaGo source code was uploaded to GitHub, potentially leading to a significant rise of new malware variants as malware authors will be able to use the s" />
		


	<meta charset="utf-8">



<meta name="viewport" content="width=device-width, initial-scale=1.0">










	<link rel="alternate" type="application/rss+xml" title="AlienVault Open Threat Exchange Blog" href="/site/blog-all-rss" />


</head>

	<body class="listing-blog-entry-id-7609">


		<header id="header" class="navbar navbar-fixed-top">







	<div id="header-container" class="container-fluid">
		

		<nav class="navbar-collapse collapse" id="header-nav">
			<ul class="nav navbar-nav list-unstyled">
				<li class="nav-item mobile-search visible-sm visible-xs">
					<form action="/search-results" method="get" id="mobile-search-form" __bizdiag="113" __biza="WJ__"><input name="q" id="mobile-search-form-text" type="text" placeholder="Search" aria-label="Search"><button type="submit"><span class="glyphicon glyphicon-search"></span></button></form>
				</li>
				<li class="nav-item has-dd products">
					<a id="main-nav-products" href="/products" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#products-dd">Products<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span>
					</a>
					<div class="nav-dropdown collapse" id="products-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav">
									<li id="first-sub-cyber-strategy-risk"><a href="/categories/cybersecurity-consulting-services" class="first-level">Cybersecurity Consulting Services</a>
										<div class="desktop-subnav open">
											<ul class="list-unstyled">
												<li class="second-sub-heading">Cyber Strategy</li>
												<li class="second-sub-link"><a href="/products/strategy-and-roadmap">Strategy and Roadmap Planning</a></li>

												<li class="second-sub-link"><a href="/products/security-assessment">Enterprise Security Assessment Services</a></li>
												<li class="second-sub-link"><a href="/products/risk-based-cyber-posture-assessment">Risk-based Cyber Posture Assessment</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">Risk and Compliance</li>
												<li class="second-sub-link"><a href="/products/security-compliance">Security Compliance</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">Vulnerability and Threat Management</li>
												<li class="second-sub-link"><a href="/products/managed-vulnerability-program">Managed Vulnerability Program</a></li>
												<li class="second-sub-link"><a href="/products/penetration-testing-services">Penetration Testing</a></li>
												<li class="second-sub-link"><a href="/products/adversary-simulation-service">Adversary Simulation Services</a></li>
												<li class="second-sub-link"><a href="/products/incident-response">Incident Response Services</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">CSO Advisory Services</li>
												<li class="second-sub-link"><a href="/products/cybersecurity-iq-training">Cybersecurity IQ Training</a></li>
											</ul>
										</div>
										<div class="mobile-subnav">
											<ul class="list-unstyled sub-nav">
												<li class="second-sub-link"><a href="/products/strategy-and-roadmap">Strategy and Roadmap Planning</a></li>
												<li class="second-sub-link"><a href="/products/security-assessment">Enterprise Security Assessment Services</a></li>
												<li class="second-sub-link"><a href="/products/risk-based-cyber-posture-assessment">Risk-based Cyber Posture Assessment</a></li>

												<li class="second-sub-link"><a href="/products/security-compliance">Security Compliance</a></li>

												<li class="second-sub-link"><a href="/products/managed-vulnerability-program">Managed Vulnerability Program</a></li>

												<li class="second-sub-link"><a href="/products/penetration-testing-services">Penetration Testing</a></li>
												<li class="second-sub-link"><a href="/products/adversary-simulation-service">Adversary Simulation Services</a></li>
												<li class="second-sub-link"><a href="/products/incident-response">Incident Response Services</a></li>
												<li class="second-sub-link"><a href="/products/cybersecurity-iq-training">Cybersecurity IQ Training</a></li>
											</ul>
										</div>
									</li>
                                    <li id="first-sub-managed-security-services"><a href="/categories/managed-security-services" class="first-level">Managed Security Services</a>
                                        <div class="desktop-subnav">
                                            <ul class="list-unstyled">
                                                <li class="second-sub-heading">Network Security</li>
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
                                                <li class="second-sub-link"><a href="/products/sase-branch-with-fortinet">SASE Branch with Fortinet</a></li>
												<li class="second-sub-link"><a href="/products/sase-with-palo-alto-networks">SASE with Palo Alto Networks</a></li>
                                                <li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
                                                <li class="second-sub-link"><a href="/categories/network-security">View All</a></li>
                                            </ul>
                                            <ul class="list-unstyled">
                                                <li class="second-sub-heading">Threat Detection</li>
                                                <li class="second-sub-link"><a href="/products/managed-threat-detection-and-response">Managed Threat Detection and Response</a></li>
                                            </ul>
                                            <ul class="list-unstyled">
                                                <li class="second-sub-heading">Endpoint Security</li>
                                                <li class="second-sub-link"><a href="/products/sentinel-one">SentinelOne</a></li>
                                                <li class="second-sub-link"><a href="/products/mobile-iron">MobileIron</a></li>
                                                <li class="second-sub-link"><a href="/products/lookout">Lookout Mobile Endpoint Security</a></li>
                                            </ul>

                                        </div>
                                        <div class="mobile-subnav">
                                            <ul class="list-unstyled sub-nav">
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
                                                <li class="second-sub-link"><a href="/products/sase-branch-with-fortinet">SASE Branch with Fortinet</a></li>
												<li class="second-sub-link"><a href="/products/sase-with-palo-alto-networks">SASE with Palo Alto Networks</a></li>
                                                <li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
                                                <li class="second-sub-link"><a href="/products/managed-threat-detection-and-response">Managed Threat Detection and Response</a></li>
                                                <li class="second-sub-link"><a href="/products/sentinel-one">SentinelOne</a></li>
                                                <li class="second-sub-link"><a href="/products/mobile-iron">MobileIron</a></li>
                                                <li class="second-sub-link"><a href="/products/lookout">Lookout Mobile Endpoint Security</a></li>
                                            </ul>
                                        </div>
                                    </li>
									<li id="first-sub-network-security"><a href="/categories/network-security" class="first-level">Network Security</a>
										<div class="desktop-subnav">
											<ul class="list-unstyled">
												<li class="second-sub-heading">AT&T Trusted Internet Access</li>
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
												<li class="second-sub-link"><a href="/products/network-based-firewall">Network Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/premises-based-firewall">Premises Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/enhanced-access-security">Enhanced Cybersecurity Services</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">AT&T Infrastructure and Application Protection</li>
												<li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
												<li class="second-sub-link"><a href="/products/application-layer-security">AT&T Application Layer Security</a></li>
											</ul>
										</div>
										<div class="mobile-subnav">
											<ul class="list-unstyled sub-nav">
												<li class="second-sub-heading">AT&T Trusted Internet Access</li>
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
												<li class="second-sub-link"><a href="/products/network-based-firewall">Network Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/premises-based-firewall">Premises Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/enhanced-access-security">Enhanced Cybersecurity Services</a></li>

												<li class="second-sub-heading">AT&T Infrastructure and Application Protection</li>
												<li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
												<li class="second-sub-link"><a href="/products/application-layer-security">AT&T Application Layer Security</a></li>
											</ul>
										</div>
									</li>
									<li id="first-sub-unified-endpoint"><a href="/categories/endpoint-security" class="first-level">Endpoint Security</a>
										<div class="desktop-subnav">
											<ul class="list-unstyled">
												<li class="second-sub-heading">Endpoint Security</li>
												<li class="second-sub-link"><a href="/products/sentinel-one">SentinelOne</a></li>
												<li class="second-sub-link"><a href="/products/mobile-iron">MobileIron</a></li>
												<li class="second-sub-link"><a href="/products/vmware">VMware Workspace ONE®</a></li>
												<li class="second-sub-link"><a href="/products/ibm-maas360">IBM MaaS360</a></li>
												<li class="second-sub-link"><a href="/products/lookout">Lookout Mobile Endpoint Security</a></li>
												<li class="second-sub-link"><a href="/products/mcafee-endpoint-protection">McAfee Endpoint Protection</a></li>
											</ul>
										</div>
										<div class="mobile-subnav">
											<ul class="list-unstyled sub-nav">
													<li class="second-sub-link"><a href="/products/sentinel-one">SentinelOne</a></li>
													<li class="second-sub-link"><a href="/products/mobile-iron">MobileIron</a></li>
													<li class="second-sub-link"><a href="/products/vmware">VMware Workspace ONE®</a></li>
													<li class="second-sub-link"><a href="/products/ibm-maas360">IBM MaaS360</a></li>
													<li class="second-sub-link"><a href="/products/lookout">Lookout Mobile Endpoint Security</a></li>
													<li class="second-sub-link"><a href="/products/mcafee-endpoint-protection">McAfee Endpoint Protection</a></li>
											</ul>
										</div>
									</li>

							</ul>
						</div>
					</div>
				</li>

			</ul>
		</nav>

	</div>

</header>

						




			<main class="blog-detail flexible-layout">

				<section class="full-width-block">

					<div class="container-fluid">

						<div class="row flx-container">
							<div class="col-sm-7">
								<div class="blog-content-area">
									<div class="blog-title-date-author-area">
										<h1>BotenaGo strikes again - malware source code uploaded to GitHub</h1>
										<div class="date">January 26, 2022 &nbsp;|&nbsp; <a href="/blogs/author/ofer-caspi">Ofer Caspi</a></div>
									</div>
									<div class="blog-body">
										<h2>Executive summary</h2>

<p>In November 2021, AT&amp;T Alien Labs&trade; first published research on our discovery of new malware written in the open-source programming language Golang. The team named this malware &ldquo;BotenaGo.&rdquo; (Read the previous article <a href="https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits" target="_blank">here</a>.) In this article, Alien Labs is updating that research with new information.</p>

<p>Recently, BotenaGo source code was uploaded to GitHub, potentially leading to a significant rise in new malware variants, as malware authors will be able to use the source code and adapt it to their objectives. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally. As of the publishing of this article, antivirus (AV) vendor detection for BotenaGo and its variants remains behind, with very low detection coverage from most AV vendors.</p>

<h2>Key takeaways:</h2>

<ul>
	<li>BotenaGo malware source code is now available to any malicious hacker or malware developer.</li>
	<li>New BotenaGo samples were found with very low AV detection (3/60 engines).</li>
	<li>With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code.</li>
</ul>

<h2>Background</h2>

<p>In September 2016, the source code of Mirai, one of the most popular botnets, was <a href="https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/" target="_blank">leaked</a> and uploaded to one of the hacking community forums, and later uploaded to <a href="https://github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.md">GitHub</a> with detailed information on the botnet, its infrastructure, its configuration, and how to build it.</p>

<p>Since the release of that information, the popularity of Mirai has increased dramatically. Multiple malware variants such as Moobot, Satori, Masuta, and others use the source code of Mirai. They then add unique functionality, which has resulted in these multiple variants causing millions of infections. The Mirai botnet targets mostly routers and IoT devices, and it supports different architectures including Linux x64, different ARM versions, MIPS, PowerPC, and more. Since the Mirai botnet can now be modified and compiled by different adversaries, many new variants have become available over time featuring new capabilities and new exploits.</p>

<p>In our November 2021 research article, Alien Labs first described its findings about the new BotenaGo malware along with technical details. We used online tools such as <a href="https://www.shodan.io/" target="_blank">Shodan</a> to show the potential damage the BotenaGo malware could cause, and its potential for putting millions of IoT devices at risk.</p>

<p>Alien Labs recently discovered that the source code of BotenaGo malware was uploaded to <a href="https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go" target="_blank">GitHub</a> on October 16th, 2021, allowing any malicious hacker to use, modify, and upgrade it, or even simply compile it as is and use the source code as an exploit kit, with the potential to leverage all of BotenaGo&rsquo;s exploits to attack vulnerable devices. The original source of the code is not yet known. In the same repository, we have found additional hacking tools collected from several different sources.</p>

<h2>Source code analysis</h2>

<p>The malware source code, containing a total of only 2,891 lines of code (including empty lines and comments), is simple yet efficient. It includes everything needed for a malware attack, including but not limited to:</p>

<ul>
	<li>Reverse shell and telnet loader, which are used to create a backdoor to receive commands from its operator</li>
	<li>Automatic setup of the malware&rsquo;s 33 exploits, giving the hacker a &ldquo;ready state&rdquo; to attack a vulnerable target and infect it with an appropriate payload based on target type or operating system</li>
</ul>

<p>The top of the source code on GitHub shows a comment with the list of current exploits for &ldquo;supported&rdquo; vendors and software, as shown in Figure 1.</p>

<p><img alt="BotenaGo exploits" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_exploits.jpg" /></p>

<p style="text-align:center">Figure 1 shows BotenaGo&rsquo;s available exploits for multiple vendors.</p>

<p>As described in our previous blog, the malware initiates a total of 33 exploit functions targeting different routers and IoT devices by calling the function &ldquo;scannerInitExploits&rdquo; (see figure 2).</p>

<p><img alt="BotenaGo initialization" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_initialization.jpg" /></p>

<p style="text-align:center">Figure 2 shows the initialization of 33 exploits.</p>

<p>Each exploit function contains the exploit configuration (such as a specific &ldquo;GET&rdquo; request) and specific payload for the targeted system (see figure 3). Some exploits are a chain of commands, such as multiple &ldquo;GET&rdquo; requests (see figures 4 and 5).</p>

<p><img alt="BotenaGo payload" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_payload.jpg" /></p>

<p style="text-align:center">Figure 3 shows the specific payload for different targets.</p>

<p><img alt="CVE implementation" data-original="https://cdn-cybersecurity.att.com/blog-content/cve_implementation.jpg" /></p>

<p style="text-align:center">Figure 4 shows the implementation of CVE-2020-10987.</p>

<p><img alt="second CVE implementation" data-original="https://cdn-cybersecurity.att.com/blog-content/second_cve_implementation.jpg" /></p>

<p style="text-align:center">Figure 5 shows the implementation of CVE-2020-10173.</p>

<p>The code contains additional configuration for a remote server, including available payloads and a path to folders that contain additional script files to execute on infected devices (see figure 6).</p>

<p><img alt="additional configuration" data-original="https://cdn-cybersecurity.att.com/blog-content/additional_configuration.jpg" /></p>

<p style="text-align:center">Figure 6 shows an example of additional configuration.</p>

<p>On top of all that, the main function calls together all of the necessary pieces: setting up a backdoor, loading additional payload scripts, initializing exploit functions, and waiting for commands (see figure 7). It is simple and clean malware creation in just 2,891 lines of code.</p>

<p><img alt="BotenaGo main function" data-original="https://cdn-cybersecurity.att.com/blog-content/botenago_main_function.jpg" /></p>

<p style="text-align:center">Figure 7 shows BotenaGo&rsquo;s main function.</p>

<h2>Additional updates</h2>

<p>Since our first article on BotenaGo, the samples have continued to be used to exploit routers and IoT devices, spreading Mirai botnet malware. Even more worrisome, the samples continue to have a very low AV detection rate, as shown below in <a href="https://www.virustotal.com/gui/file/fef2b32e34ac1b64281c5083e7fc6e055c885820a38fa5eed1f563e38e04c6db" target="_blank">VirusTotal</a> (figure 8).</p>

<p><img alt="low AV detection" data-original="https://cdn-cybersecurity.att.com/blog-content/low_AV_detection.jpg" /></p>

<p style="text-align:center">Figure 8 shows the low level of antivirus detections for BotenaGo&rsquo;s new variants.</p>

<p>One of the variants is configured to use a new Command and Control (C&amp;C) server (see figure 9).</p>

<p>It&rsquo;s worth noting that the IP address for one of BotenaGo&rsquo;s payload storage servers is included in the list of indicators of compromise (IOC) for detecting exploitation of the <a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">Apache Log4j security vulnerabilities</a>. Read the <a href="https://cybersecurity.att.com/blogs/labs-research/global-outbreak-of-log4shell" target="_blank">Alien Labs Report on Log4Shell</a>.</p>

<p><img alt="C&amp;C for BotenaGo variant" data-original="https://cdn-cybersecurity.att.com/blog-content/c2_server_for_BotenaGo.jpg" /></p>

<p style="text-align:center">Figure 9 shows a command to configure a C&amp;C server for a BotenaGo variant.</p>

<h2>Recommended actions</h2>

<ol>
	<li>Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.</li>
	<li>Install security and firmware upgrades from vendors as soon as possible.</li>
	<li>Check your system for unnecessary open ports and suspicious processes.</li>
</ol>

<h2>Conclusion</h2>

<p>Today, BotenaGo variants serve as a standalone exploit kit and as a spreading tool for other malware. Now with its source code available to any malicious hacker, new malicious activity can be added easily to the malware. Alien Labs sees the potential for a significant increase in these malware variants, giving rise to potentially new malware families that could put millions of routers and IoT devices at risk of attack.</p>

<h2>Detection methods</h2>

<p>The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:552px">
			<p>SURICATA IDS SIGNATURES</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; width:552px">
			<p>4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4000898: AV EXPLOIT Netgear DGN2200 ping.cgi - Possible Command Injection (CVE-2017-6077)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027881: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027882: ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001142: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v1</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4001143: AV EXPLOIT ManagedITSync - Kaseya exploitation (CVE-2017-18362) v2</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup - Possible Command Injection (CVE-2017-6334)</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<p>2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)</p>
			</td>
		</tr>
	</tbody>
</table>

<h3>Associated indicators (IOCs)</h3>

<p>The following technical indicators are associated with the reported intelligence. A list of indicators is also available in an Alien Labs Open Threat Exchange&trade; (OTX&trade;) pulse. You can access the <a href="https://otx.alienvault.com/pulse/61894367200f8ce537dda952" target="_blank">OTX pulse</a> here. If you are not an OTX member, it is free to <a href="https://cybersecurity.att.com/open-threat-exchange" target="_blank">join</a> our global, open-source threat intelligence community of more than 200,000.</p>


<h2>Mapped to MITRE ATT&amp;CK</h2>

<p>The findings of this report are mapped to the following <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&amp;CK Matrix</a> techniques:</p>

<ul>
	<li>TA0008: Lateral Movement
	<ul>
		<li>T1210: Exploitation of Remote Services</li>
		<li>T1570: Lateral Tool Transfer</li>
	</ul>
	</li>
	<li>TA0011: Command and Control
	<ul>
		<li>T1571: Non-Standard Port</li>
	</ul>
	</li>
</ul>

<p>*Current as of the publishing of this article.</p>
									</div>
								</div>




							</div>
							
						</div>
					</div>
				</section>


			</main>


			

			
		



<div id="valid_content"></div>

		
	<script src="https://cdn-cybersecurity.att.com/js/v2/imports/blog-bundle.min.js?v=20220223925944" defer></script>






		




	<script type="text/javascript"  src="/d-cYxd80vb5F2/K_hWq7Wbdt/joKU/G7r1VJkfN9iG/RUpYAQ/HzJsY/jdGUg4"></script></body>
</html>
